03.10.2013, 14:58   #2
SynQ
 

Firefox URL quote encoding patch

The purpose of this patch is to get rid of single-quote URL-encoding in HTTP requests.

Since version 3.0 (commit), Firefox has URL-encoded a single quote as %27. Sometimes this behavior can affect your ability to detect a SQL injection, for example when $_SERVER["QUERY_STRING"] or $_SERVER["REQUEST_URI"] is used directly in SQL queries.

The patch is versatile and can patch multi-platform Firefox: xul.dll (Windows), libxul.so (Linux), XUL (Mac OS X). It should also work with FF derivatives such as Palemoon/SeaMonkey/younameit.

This patch allows you to modify the behavior of single, double and back quotes, though most users should be interested in patching only the single-quote behavior.
The patch is reversible: applying it twice with the same options reverts the changes.

Once installed, the patch interrupts the Firefox update process.
So even the check for updates should be done only with the original xul.dll file in place. Basically, undo the patch (i.e. run it again with the same options as before, or just copy the original xul.dll back), then update Firefox, and apply the patch once again.
The power of batch files could be used to automate this process.

Default paths:
Code:
C:\Program Files\Mozilla Firefox\xul.dll
/usr/lib/firefox-4.0/libxul.so
/usr/lib/xulrunner-2.0/libxul.so
/Applications/Firefox.app/Contents/MacOS/XUL
Popular browsers' behavior on quotes:
Code:
IE9:     GET /index.php?id=q'w"e`r HTTP/1.1
Safari5: GET /index.php?id=q'w%22e`r HTTP/1.1
Opera11: GET /index.php?id=q'w%22e%60r HTTP/1.1
FF3.0a4: GET /index.php?id=q'w%22e%60r HTTP/1.1
FF3.0a6: GET /index.php?id=q%27w%22e%60r HTTP/1.1
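What the table means for a sink that never decodes the query string (the $_SERVER["QUERY_STRING"] / $_SERVER["REQUEST_URI"] case mentioned above), shown with an added Python example that is not part of the original post: the request lines are constructed from the table, and the sink and normalizer functions are illustrative, not real server code.

```python
from urllib.parse import unquote

# Constructed request lines, copied from the browser table above (not captured traffic).
REQUEST_LINES = {
    "IE9":     "GET /index.php?id=q'w\"e`r HTTP/1.1",
    "Safari5": "GET /index.php?id=q'w%22e`r HTTP/1.1",
    "Opera11": "GET /index.php?id=q'w%22e%60r HTTP/1.1",
    "FF3.0a4": "GET /index.php?id=q'w%22e%60r HTTP/1.1",
    "FF3.0a6": "GET /index.php?id=q%27w%22e%60r HTTP/1.1",
}
QUOTES = {"'": "single", '"': "double", "`": "back"}

def query_string(request_line):
    """Raw query string of a request line, as PHP's QUERY_STRING would carry it."""
    target = request_line.split(" ", 2)[1]
    return target.partition("?")[2]

def quote_report(request_line):
    """For each quote type: 'raw', 'encoded', or None if absent from the query."""
    query = query_string(request_line)
    report = {}
    for ch, name in QUOTES.items():
        if ch in query:
            report[name] = "raw"
        elif ("%%%02X" % ord(ch)).lower() in query.lower():
            report[name] = "encoded"
        else:
            report[name] = None
    return report

def raw_sink_sees(request_line, ch="'"):
    """A sink using the undecoded query string meets the quote only if the browser sent it raw."""
    return ch in query_string(request_line)

def decoded_sink_sees(request_line, ch="'"):
    """A sink reading decoded parameters ($_GET-style) meets the quote either way."""
    return ch in unquote(query_string(request_line))

def normalize(query, max_rounds=3):
    """Bounded repeated percent-decoding, so a log-side check sees the same text
    whichever browser (or encoding depth) produced it."""
    for _ in range(max_rounds):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query

if __name__ == "__main__":
    for browser, line in REQUEST_LINES.items():
        print(browser, quote_report(line), "raw sink sees ' :", raw_sink_sees(line))
```

A log-inspection or WAF rule that matches quote characters should run `normalize` first; otherwise the same probe from FF3.0a6 and from IE9 is classified differently.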
Code:
#!/usr/bin/env python3
#
# Firefox URL quote encoding patch
# written by SynQ, rdot.org
import sys

# Magic byte sequence searched for in xul.dll / libxul.so / XUL. The 4-byte
# entries for the three quote characters sit at fixed offsets from a match.
sequence_start = b'\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xB9\x03\x00\x00\x10\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xF0\x03\x00\x00'
sequence_middle_3to8 = b'\x90\x03\x00\x00'
sequence_middle_9plus = b'\xF0\x03\x00\x00'
sequence_end = b'\x00\x00\x00\x00\xF0\x03\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\xF0\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\xFF\x03\x00\x00\x80\x03\x00\x00\x80\x03\x00\x00\x80\x03\x00\x00\x80\x03\x00\x00\xFF\x03\x00\x00'

enc = b'\x00\x00\x00\x00'     # entry value: the quote is sent percent-encoded
no_enc = b'\xFF\x03\x00\x00'  # entry value: the quote is sent as-is
# Byte offset of each quote's entry relative to the start of the magic sequence.
single_quote = -1 * 4
double_quote = -6 * 4
back_quote = 56 * 4

def writefunc(f, write_offset):
    """Toggle the 4-byte entry at write_offset between the encoded and unencoded value."""
    orig_offset = f.tell()
    f.seek(write_offset)
    byte = f.read(4)
    f.seek(write_offset)
    if byte == enc:
        f.write(no_enc)
        print('This quote has been sent encoded (original behavior), now changed to have no encoding')
    elif byte == no_enc:
        f.write(enc)
        print('This quote has been sent unencoded (patched behavior), reverted it back to original behavior')
    else:
        print('Error at sequence patching')
    f.seek(orig_offset)

tail = 512                # overlap kept between blocks so a match on a boundary is not missed
buf_size = 2048 * 512
blk_size = buf_size - tail
blk_count = 0
found = False
mac = False
patched_offsets = set()   # a match inside the overlap would otherwise be seen twice and toggled back
##################################################################
if len(sys.argv) < 3:
    print('\nUsage:', sys.argv[0], 'xul_file.ext [single_quote | double_quote | back_quote]\n')
    print('If you\'re trying to patch an old FF version (from 3.0 to 8.0) add the "ff_v3-8" parameter at the end.\n')
    print('To change the encoding of several quotes, run the patcher several times.\nPatching the same quote twice reverts it back.')
    sys.exit(1)

filename = sys.argv[1]
quotes = {'single_quote': single_quote, 'double_quote': double_quote, 'back_quote': back_quote}
if sys.argv[2] not in quotes:
    print('Wrong quote type!')
    sys.exit(1)
quote = quotes[sys.argv[2]]

if len(sys.argv) == 4 and sys.argv[3] == 'ff_v3-8':
    sequence = sequence_start + sequence_middle_3to8 + sequence_end
else:
    sequence = sequence_start + sequence_middle_9plus + sequence_end
##################################################################
with open(filename, 'r+b') as f:
    counter = 0
    data = f.read(buf_size)
    while data:
        # Every occurrence in this block, not only the first one.
        pos = data.find(sequence)
        while pos >= 0:
            offset = pos + blk_count * blk_size   # absolute file offset of the match
            if offset not in patched_offsets:
                patched_offsets.add(offset)
                counter += 1
                found = True
                print('Found magic sequence at offset', offset)
                if counter > 2:
                    print("Uhm... found more than 2 sequence occurrences, that shouldn't happen!")
                    sys.exit(1)
                elif counter == 2:
                    mac = True
                writefunc(f, offset + quote)
            pos = data.find(sequence, pos + 1)
        blk_count += 1
        more = f.read(blk_size)
        if not more:          # end of file (also stops files smaller than the overlap)
            break
        data = data[-tail:] + more

if mac:
    print('\nSeems like it was a Mac XUL file')
if not found:
    print("Nothing has been found. Either you've specified the wrong FF version or it's not a XUL file at all.")

Last edited by SynQ; 05.10.2013 at 13:33.